Risk perception and Cloud security

My dad is currently in the process of preparing a module for a course he’s running at UCL next year, and asked me a specific question this morning:

When looking at the benefits and disadvantages of moving from in-house to cloud computing, security issues aren’t prominent, yet surveys show that security is the biggest single concern. Why might this be?

My gut feel is that there are a few things at play here:

“Because it’s on the internet it must be less safe than being on a closed network” might be going around the mind of the IT manager, but implicitly they might be thinking “Because I can’t control it down to the server level, I don’t want accountability for something I’m not responsible for.”

The reality is that “closed” networks no longer exist. Everything is a hybrid of private and public network these days, and often the most valuable business tools (inter-org email, for example) rely on the open Internet. However, giving control of something to a third party is a matter of trust.

The reality of any organisation providing cloud services is that their business reputation depends upon security amongst other factors, and so they are (in my mind) more likely to provide high quality service because otherwise they’ll be out of business pretty soon.

There’s one other factor, related to perceptions of risk, which is what I heard the author Nick Carr describe as “the airline problem” – that planes are incredibly safe (relative to many other forms of transport) but “they kill people in batches”. So it is for cloud services: if anything goes wrong, then it’s big news because of the concurrency of people impacted. Although there have been some fairly significant outages on services like AWS, I can’t recall any security problems with any of the major “as a service” providers (although things like password breaches and so on are more common on web sites). As a species, though, we’re uniquely ill-designed for assessing and managing risk.